Once Again With Feeling: 'Anonymized' Data Isn't Really Anonymous

from the we-can-see-you dept

For years, the companies that hoover up your internet browsing and other data have proclaimed that you don't really have anything to worry about, because the data collected on you is "anonymized." In other words, because the data collected about you is assigned a random number and not your name, you should be entirely comfortable with everything from your car to your smart toaster hoovering up your daily habits and selling them to the highest bidder. But studies have repeatedly shown that it only takes a few additional contextual clues to flesh out individual identities. So in an era of cellular location, GPS, and even smart electricity data collection, it doesn't take much work to build a pretty reliable profile on who you are and what you've been up to.

The latest case in point: German journalist Svea Eckert and data scientist Andreas Dewes recently descended upon Defcon to once again make this point, releasing a new report highlighting how "anonymous" browsing data is anything but. The duo found it relatively trivial to obtain clickstream browsing data from numerous companies simply by posing as a fake marketing company, replete with a website filled with “many nice pictures and some marketing buzzwords." Ironically, some of this data was gleaned from companies that profess to offer you additional layers of privacy, including “safe surfing” tool Web of Trust.

It didn't take long before the pair was able to obtain a database containing more than 3 billion URLs from roughly three million German internet users, spread across roughly 9 million different websites. However easy obtaining the "private" and "anonymous" browsing data was, using this data to quickly and easily identify individual users was even easier:

"Dewes described some methods by which a canny broker can find an individual in the noise, just from a long list of URLs and timestamps. Some make things very easy: for instance, anyone who visits their own analytics page on Twitter ends up with a URL in their browsing record which contains their Twitter username, and is only visible to them. Find that URL, and you’ve linked the anonymous data to an actual person. A similar trick works for German social networking site Xing."

The pair also highlighted how repeated visits to websites specific to you (your bank, your hobbies, your neighborhood) help further narrow down your identity:

"For other users, a more probabilistic approach can deanonymise them. For instance, a mere 10 URLs can be enough to uniquely identify someone – just think, for instance, of how few people there are at your company, with your bank, your hobby, your preferred newspaper and your mobile phone provider. By creating “fingerprints” from the data, it’s possible to compare it to other, more public, sources of what URLs people have visited, such as social media accounts, or public YouTube playlists."

Of course this is nothing new, and researchers have been making this precise point for several years now. Princeton researcher Arvind Narayanan in particular has been warning that anonymous data isn't really anonymous for the better part of the last decade, yet somehow the message never seems to resonate, and everyone from broadband providers to internet of things companies continues to pretend that "anonymization" of data is some kind of impenetrable, mystical firewall preventing companies or hackers from identifying you.
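The two weaknesses described in the quoted passages above can be turned into a check a data holder runs before releasing a pseudonymized clickstream. This is an added example, not code from the researchers or from this article; the URL pattern, the domains and the sample rows are all constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hypothetical pattern: a page whose path embeds the visitor's own account name.
SELF_ID_PATTERNS = [re.compile(r"^social\.example/analytics/user/([A-Za-z0-9_]+)")]

# Constructed sample rows: (pseudonym, url)
SAMPLE = [
    ("u1", "https://bank-a.example/login"),
    ("u1", "https://social.example/analytics/user/alice_k/posts"),
    ("u1", "https://news.example/politics"),
    ("u2", "https://bank-a.example/login"),
    ("u2", "https://news.example/sport"),
    ("u3", "https://bank-a.example/login"),
    ("u3", "https://news.example/sport"),
    ("u4", "https://chess-club.example/members"),
    ("u4", "https://news.example/sport"),
]

def self_identifying(rows):
    """Map pseudonym -> account names leaked by URLs only the owner would visit."""
    hits = defaultdict(set)
    for pseudonym, url in rows:
        parts = urlsplit(url)
        target = parts.netloc.lower() + parts.path
        for pattern in SELF_ID_PATTERNS:
            m = pattern.match(target)
            if m:
                hits[pseudonym].add(m.group(1))
    return dict(hits)

def domain_sets(rows):
    sets = defaultdict(set)
    for pseudonym, url in rows:
        sets[pseudonym].add(urlsplit(url).netloc.lower())
    return sets

def anonymity_set_sizes(rows):
    """For each pseudonym, count the pseudonyms (itself included) whose domain
    set contains all of its domains; 1 means the fingerprint is unique."""
    sets = domain_sets(rows)
    return {p: sum(1 for other in sets.values() if s <= other) for p, s in sets.items()}

def release_blockers(rows, k=2):
    # A record blocks release if it leaks an account name or hides among fewer than k users.
    leaked = self_identifying(rows)
    sizes = anonymity_set_sizes(rows)
    return sorted(p for p in sizes if p in leaked or sizes[p] < k)
```

On the sample, `u1` is blocked because a URL names the account directly, and `u4` because one niche domain makes its fingerprint unique even though no URL contains a name.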

Reader Comments

Breaking down the breakdown

They are just following the Government's lead. The Government says it's just meta data and doesn't mean anything, so the advertising firms take this (without grains of salt) and make the same claim.

Then, because meta data is actually a whole lot more than nothing, they send you advertising for things you don't want because their data mining said that you would want it. Following the same recipe, product creators pay the advertisers for sending advertising no one wants, and everybody is happy. Well...almost.

Re: Breaking down the breakdown

..and?

Karl, if you follow an individual around during the day and note all the places they go when in public, you can draw the same conclusions.

I can randomly pick a person and, within a few days, tell you who their immediate family is, what they like to eat, where they work, and so on.

The internet is a public place. Even if you make the effort to hide yourself, the reality is that you are walking in public places. Like it or not, everything you do online has a certain public nature to it.

Re: ..and?

Go follow ten million people in an afternoon and let us know how you make out.

The internet is a public place, but companies bulk harvesting data are essentially going through your pockets and then removing your name from the generated report of the contents and claiming that is anonymous.

None of this is the same as following an individual around meatspace or the internet. (Never mind that what your car or appliances or what have you do is not "the internet".) Repeated claims of anonymization, when those claims are complete bunk, is rather more the point. When you go following someone around, and say, report your gathered intel to another party, merely without the subject's name, and claim that is anonymous, would you be telling the truth? (And not a merely technical truth-flavoured thing.)

Re: Re: ..and?

"companies bulk harvesting data are essentially going through your pockets and then removing your name from the generated report of the contents and claiming that is anonymous."

Colorful description aside, you miss the point. Technology allows it. Face it, technology can track you. The phone in your pocket is a beacon to your location. Facial recognition cameras can pinpoint your location and everything from your fastpass car transponder to your refillable public transit card is tracking your every move. Technology allows for it, and it's often an unavoidable trade off for the technology to even work.

The internet is no different in reality. Google and a large number of other companies are tracking you every day. What makes this story sort of funny is that coming to Techdirt triggers over 40 tracking cookies from a half a dozen sources. Each page view sends your visit data (anonymous, natch) to soundcloud and others, who can track your interest in the sorts of things discussed here.

For reference, EFF.ORG sets a single cookie for their own use only. A visit to the Drudge Report triggers hundreds of cookies.

There hasn't been a level of tracking in "meatspace" because Technology hasn't supported it in the past. But the cell phone alone has clearly changed all that, and all those other things I mentioned before are all conspiring to tell the world where you have been and what you do.

Is the data anonymous? At each point, it is. Combined, perhaps less so. Can we really stop one company from using your data because combining a second or third data set might be the tipping point on your anonymous life? Do you not think it's already happened?

Re: Re: Re: Re: Re: Re: ..and?

What's the issue? One of the cornerstones of Mike's tacit approval of piracy is that it is something that technology allows, so creators should suck it up and deal with it, and find ways to profit from it, rather than thinking about the losses that may occur.

Tracking is exactly the same thing. It's something that technology allows (even requires in the case of cell phones), so you should suck it up and deal with it, rather than losing sleep over what you can't avoid.

The overriding issue here is ..

that javascript has been perverted for evil.

If you browse without blocking a single thing .. then yeah, sure you are going to be tracked in six degrees of separation.

The only defense (such as it is) anyone has is to run Noscript and requestpolicy in a default "block everything" configuration enabling only the javascript that is needed to make a website functional. Even then, I have to run fiddler to load stripped out .js files for googletagmanager et al so that the rest of the website will function.

For example:

window.confirm("This is the blank gtm.js file loading.");

The next line of defense is to not use social media. Period. Fuck social media.

Re: So I assume...

Why? What's that article got to do with this one?

That article is about how when ISPs resell data, they're actually selling targeted advertisements. This article is about how companies that sell "anonymized" data are selling data that still contain personally identifiable information. What's the connection?

Once more with feeling...

Buffy is good allegory, the early internet was fun, frustrating, dynamic and human.. until all our friends came along and pulled us out of heaven into the squalid cesspit that is face fuck and the other big 5, except in this case their intentions were never good, it was obvious that it was a devil's bargain from the start.